Latest news of the domain name industry

Recent Posts

Verisign says Afilias tried to “rig” $135 million .web auction

Kevin Murphy, December 17, 2018, Domain Services

Verisign has jumped back into the fight for the .web gTLD, all guns blazing, with a claim that Afilias offered millions in an attempt to “rig” a private auction for the string.

The .com behemoth accused Afilias last week of “collusive and anti-competitive efforts to rig the [.web] auction in its favor”.

It claims that Afilias offered rival bidder — and secret Verisign stooge — Nu Dot Co up to $17 million if it would participate in a private auction, and then tried to contact NDC during the auction’s “Blackout Period”.

The claims came in an amicus brief (pdf) filed by Verisign as part of Afilias’ Independent Review Process proceeding against ICANN.

The IRP is Afilias’ attempt to overturn the result of the July 2016 .web auction, in which NDC paid ICANN $135 million of Verisign’s money in exchange for the exclusive rights to .web

While neither Verisign nor NDC are parties to the IRP, they’re both attempting to become amicus curiae — “friends of the court” — giving them the right to provide evidence and arguments to the IRP panel.

Verisign argues that its rights would be seriously impacted by the proceeding — Afilias is looking for an emergency ruling preventing .web being delegated — because it won’t be able to bring .web to market.

But it’s also attempting to have the IRP thrown out altogether, on the basis of claims that Afilias broke the auction rules and has “unclean hands”.

Verisign’s brief states:

Afilias and other bidders proposed that a private auction be performed pursuant to collusive and potentially illegal terms about who could win and who would lose the auction, including guarantees of auction proceeds to certain losers of the auction.

NDC CFO Jose Rasco provides as evidence screenshots (pdf) of a text-message conversation he had with Afilias VP of sales Steve Heflin on June 7, 2016, in which Heflin attempts to persuade NDC to go to a private auction.

Every other member of the contention set at that point had agreed to a private auction, in which the winning bid would be shared out among the losers.

NDC was refusing to play along, because it had long ago secretly agreed to bid on behalf of Verisign, and was forcing a last-resort ICANN auction in which ICANN would receive the full sum of the winning bid. 

In that SMS conversation, Heflin says: “Can’t give up…how about I guarantee you score at least 16 mil if you go to private auction and lose?” followed by three money-bag emojis that I refuse to quote here on general principle.

Rasco responds with an offer to sell Afilias the .health gTLD, then just weeks away from launch, for $25 million.

Heflin ignores the offer and ups his .web offer to $17.02 million.

Given that it was a contention set of seven applicants, that suggests Afilias reckoned .web was going to sell for at least $100 million.

Verisign claims: “Afilias’s offers to ‘guarantee’ the amount of a payment to NDC as a losing bidder are an explicit offer to pay off NDC to not compete with Afilias in bidding on .web.”

Rasco also provides evidence that Schlund, another .web applicant, attempted to persuade NDC to join what it called an “Alternative Private Auction”.

This process would have divided bidders into “strong” and “weak” categories, with “strong” losing bidders walking away with a greater portion of the winning bid than the “weak” ones.

Verisign and NDC also claims that Afilias broke ICANN’s auction rules when VP John Kane texted Rasco to say: “If ICANN delays the auction next week would you again consider a private auction?”

That text was received July 22, four days before the auction and one day into the so-called “Blackout Period”, during which ICANN auction rules (pdf)  prohibit bidders from “cooperating or collaborating” with each other.

At that time, .web applicants Schlund and Radix already suspected Verisign was bankrolling NDC, and they were trying to get the auction delayed.

According to Verisign, Kane’s text means Afilias violated the Blackout rules and therefore it should lose its .web application entirely.  

The fact that these rules proscribe “collaborating” during the Blackout suggests that collaborating at other times was actually envisaged, which in turn suggests that Heflin’s texts may not be as naughty as Verisign claims.

Anyway, I think it’s fair to say the gloves, were they ever on, have come off.

Weighing in at over 1,000 pages, the combined amicus briefs and attached exhibits reveal some interesting additional facts that I don’t believe were in the public domain before now and may be worth noting here.

The Verisign filing reveals, I believe for the first time, that the final Verisign bid for .web was $142 million. It only paid $135 million because that was runner-up Afilias’ final bid.

It also reveals that Verisign and NDC signed their “executory agreement” — basically, NDC’s promise to sign over .web if Verisign bankrolled its bid — in August 2015, nearly a year before the auction took place. NDC evidently kept its secret for a long time before rivals got suspicious.

The IRP panelist is scheduled to rule on Afilias’ request for a “stay of all ICANN actions that further the delegation of the .WEB gTLD” on January 28.

Exclusive gang of 10 to work on making ICANN the Whois gatekeeper

Kevin Murphy, December 14, 2018, Domain Services

Ten people have been picked to work on a system that would see ICANN act as the gatekeeper for private Whois data.

The organization today announced the composition of what it’s calling the Technical Study Group on Access to Non-Public Registration Data, or TSG-RD.

As the name suggests, the group is tasked with designing a system that would see ICANN act as a centralized access point for Whois data that, in the GDPR era, is otherwise redacted from public view.

ICANN said such a system:

would place ICANN in the position of determining whether a third-party’s query for non-public registration data ought to be approved to proceed. If approved, ICANN would ask the appropriate registry or registrar to provide the requested data to ICANN, which in turn would provide it to the third party. If ICANN does not approve the request, the query would be denied. 

There’s no current ICANN policy saying that the organization should take on this role, but it’s one possible output of the current Expedited Policy Development Process on Whois, which is focusing on how to bring ICANN policy into compliance with GDPR.

The new group is not going to make the rules governing who can access private Whois data, it’s just to create the technical framework, using RDAP, that could be used to implement such rules.

The idea has been discussed for several months now, with varying degrees of support from contracted parties and the intellectual property community.

Registries and registrars have cautiously welcomed the notion of a central ICANN gateway for Whois data, because they think it might make ICANN the sole “data controller” under GDPR, reducing their own legal liability.

IP interests of course leap to support any idea that they think will give them access to data GDPR has denied them.

The new group, which is not a formal policy-making body in the usual ICANN framework, was hand-picked by Afilias CTO Ram Mohan, at the request of ICANN CEO Goran Marby.

As it’s a technical group, the IP crowd and other stakeholders don’t get a look-in. It’s geeks all the way down. Eight of the 10 are based in North America, the other two in the UK. All are male. A non-zero quantity of them have beards.

  • Benedict Addis, Registrar Of Last Resort.
  • Gavin Brown, CentralNic.
  • Jorge Cano, NIC Mexico.
  • Steve Crocker, former ICANN chair.
  • Scott Hollenbeck, Verisign.
  • Jody Kolker, GoDaddy.
  • Murray Kucherawy, Facebook.
  • Andy Newton, ARIN.
  • Tomofumi Okubo, DigiCert.

While the group is not open to all-comers, it’s not going to be secretive either. Its mailing list is available for public perusal here, and its archived teleconferences, which are due to happen for an hour every Tuesday, can be found here. The first meeting happened this week.

Unlike regular ICANN work, the new group hopes to get its work wrapped up fairly quickly, perhaps even producing an initial spec at the ICANN 64 meeting in Kobe, Japan, next March.

For ICANN, that’s Ludicrous Speed.

Governments blast ICANN over Amazon gTLDs

Kevin Murphy, December 14, 2018, Domain Services

ICANN seems to have found itself in the center of a diplomatic crisis, after eight South American governments strongly denied they approve of Amazon being given the .amazon gTLD.

The Amazon Cooperation Treaty Organization, along with the government of Brazil, blasted ICANN CEO Goran Marby for multiple alleged “untrue, misleading, unfortunate and biased statements”, in a December 7 letter  (pdf) published yesterday.

ACTO claims that ICANN was “premature” and “ill-informed” when its board of directors un-rejected Amazon’s gTLD applications in an October resolution.

In bruising terms, the letter goes on to criticize Marby for failing to set up promised talks between ACTO and Amazon and then characterizing “informal” conversations with Brazil’s Governmental Advisory Committee rep as if they represented ACTO’s collective view.

It’s just about as harsh a critique of ICANN management by governments I’ve read.

Amazon, the retailer, has been trying to get .amazon, along with transliterations in Chinese and Japanese scripts, since 2012.

Its applications were rejected — technically, placed in “Will Not Proceed” status — after GAC advice in July 2013. The advice was full-consensus, the strongest type, after the lone holdout, the United States, at the time trying to win support for the IANA transition, bowed out.

The advice came because the ACTO countries believe “Amazon” is a geographic string that belongs to them.

But Amazon filed an Independent Review Process appeal with ICANN, which it won last year.

The IRP panel declared that the GAC advice was built on shaky, opaque foundations and that the committee should not have a blanket “veto” over new gTLD applications.

ICANN has ever since been trying to figure out a way to comply with the IRP ruling while at the same time appeasing the GAC and the ACTO countries.

The GAC gave it a little wriggle room a year ago when it issued advice that ICANN should “continue facilitating negotiations between the [ACTO] member states and the Amazon corporation”.

ICANN took this to mean that its earlier advice to reject the bids had been superseded, and set about trying to get Amazon and ACTO to come to an agreement.

Amazon, for its part, has offered ACTO nations a suite of cultural protections, an offer to support future applications for .amazonia or similar, and $5 million worth of products and services, including free Kindle devices.

It has also offered to bake a collection of Public Interest Commitments — these have never been published — into its registry contract, which would enable ACTO governments to bring compliance actions against the company in future. 

That proposal was made in February, and ICANN has supposed to have been facilitating talks ever since.

According to a timeline provided by Marby, in a November letter (pdf) to ACTO secretary general Jacqueline Mendoza, ICANN has been working in this facilitation role since November 2017.

Problem is, at almost every step of the way it’s been dealing with Brazilian GAC rep Benedicto Filho, rather than with Mendoza herself, apparently on the assumption that when he made noises favorable to the Amazon proposal he was speaking for ACTO. 

And that’s not the case, according to Mendoza and Filho, in the newly published letters.

Whatever input Filho had was in the context of “informal and general conversations in which it was repeatedly and clearly indicated that no country had any mandate to negotiate on behalf of the other members of ACTO”, Mendoza wrote.

Filho himself goes on to accuse Marby of several “gross misrepresentation[s]” and “flagrant inaccuracies”, in an increasingly strident set of three emails forward by Mendoza to Marby.

He claims that he informed Marby every step of the way that he was not authorized to speak on behalf of ACTO, and that the idea he was involved in “obscure and secret negotiations” is “offensive”.

It seems that either one or both men is bullshitting about the extent to which Filho represented himself as an ACTO rep, or there has been a genuine breakdown of communication. For want of any definitive evidence, it seems fair to give them both the benefit of the doubt for now.

The situation as it stands now is that ACTO has called off planned peace talks with Amazon, facilitated by Marby, and has filed a Request for Reconsideration in an attempt to overturn the ICANN board’s October resolution.

Mendoza says ACTO will not engage in talks concerning .amazon until this request has been processed. 

So the fate of .amazon now lies with ICANN’s Board Accountability Mechanisms Committee, which is responsible for rejecting processing reconsideration requests. The test is usually whether the requester has brought new information to light that was not available when the board made its decision.

BAMC can either figure out a way to accept the request and put .amazon back in its “Will Not Proceed” status, smoothing out the path to negotiations (re)opening but placing Amazon back in indefinite limbo, or it can reject it and risk ACTO walking away completely.

It’s a tricky spot to be in, and no mistake.

No more free transfers in Denmark

Kevin Murphy, December 12, 2018, Domain Services

The Danish ccTLD registry has announced that it is to introduce a charge for .dk transfers for the first time in January.

From the start of 2019, transfers between registrants will cost DKK 50 (about $7.50), DK Hostmaster said today.

Currently, transfers are free.

It appears that the new fee will be levied on the gaining registrant.

DK Hostmaster said that the fee is to cover “administrative costs”.

.dk has about 1.3 million domains under management.

ICANN outs two more deadbeat new gTLDs

Kevin Murphy, December 12, 2018, Domain Services

ICANN has published breach notices it has sent to two more new gTLD registries, which it says have failed to pay their quarterly accreditation fees.

One is a dot-brand, the other is not.

The brand is the Arabic اتصالات . (.xn--mgbaakc7dvf), managed by Emirati telecommunications powerhouse Etisalat.

With about $14 billion of annual revenue, no domains other than its obligatory NIC site, and an allegedly non-functioning contact phone number, it appears the UAE-based company may simply have forgotten its dot-brand exists.

The other registry allegedly in breach is Desi Networks, the US-based company that targets .desi at people hailing from the Indian subcontinent.

While it’s been on the market for over four years, and has an addressable market of over a billion people, .desi has failed to claw together much more than 3,700 domains under management.

I thought it would have performed better. The ccTLD for India has over two million domains, and the country has a thriving domain market.

With a retail price in the region of $20 per year, it’s easy to see why the .desi may be having trouble scraping together the $6,250 quarterly flat fee ICANN registry contracts demand.

Desi Networks also commits on its web site to donate some portion of its reg fees to worthy causes in the South Asian region, which was probably optimistic with hindsight.

ICANN first sent notices of late payment to both registries in September, but did not receive the requested money.

Both have until the first week of January to pay up, or ICANN will initiate termination proceedings.

Uniregistry calls for domain Bill of Rights as Schilling says Gab.com was not booted

Kevin Murphy, November 9, 2018, Domain Services

Uniregistry has called for a “Domain Bill of Rights” to protect free speech in a world were domain takedowns can be used to de-platform controversial speakers.

Meanwhile, CEO Frank Schilling has told DI that the company did not expel the right-wing social network Gab.com from Uniregistry’s platform, and would have allowed it to stay.

In a press release this week, Uniregistry COO Kanchan Mhatre said that while the company rejects “hatred and bigotry”, free speech is an “inalienable” human right.

The company called for the new agreement “to guarantee every domain name owner a formal ‘due process’ when being faced with accusations and demands for censorship”.

Schilling said that Uniregistry’s idea for a Domain Bill of Rights is still in the early stages. It has sketched out 10 draft bullet points but is not ready to publish them yet.

The press release was issued to coincide with Tim Berners-Lee’s proposal for a “Contract for the Web”, a set of broad principles governing rights and responsibilities online.

But it also coincided with the ongoing controversy over Gab.com, the microblogging platform favored by right-wing voices, including many white supremacists, that have been kicked off Twitter.

The guy who murdered 11 people at a Synagogue in Pittsburgh last month used Gab, a back-breaking straw which prompted GoDaddy to inform the network it intended to suspend its domain unless it was immediately moved to another registrar.

It’s not the first time GoDaddy has shut down the far right for breaching its terms of service. Last year, it took the same action against a neo-Nazi site.

The Gab.com domain briefly wound up at Uniregistry, before Epik CEO Rob Monster stated publicly that he would offer Gab a home. Gab took him up on his offer, and transferred away from Uniregistry.

Uniregistry’s Schilling confirmed that “We did not ask gab.com to leave our platform… they were welcome to stay subject to law”.

Monster said in a blog post largely praising Gab and founder Andrew Torba that “De-Platforming is Digital Censorship”. He noted that for Gab, “there is a duty to monitor and lightly curate, keeping content within the bounds of the law”.

This is how AppDetex works

Kevin Murphy, October 25, 2018, Domain Services

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.

AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.

Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.

In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.

First off, Whois Requester appears to be only partially automated.

Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.

“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.

“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.

But, according to AppDetex, these assumptions are not correct.

Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.

AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.

It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.

Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.

The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.

Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.

At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.

If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.

The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.

Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.

Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.

As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.

Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.

Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.

This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.

The fact that human review is required before requests are sent out “just makes it worse”, they also said.

DomainTools tracks its one billionth domain

Kevin Murphy, August 10, 2018, Domain Services

DomainTools now has records of over a billion domain names in its database, according to the company.

The billionth name was added last month, according to a blog post.

The company notes that there are only about 350 million domains in existence today, meaning that twice as many domains have been deleted and never re-registered as are currently online.

For .com, DomainTools knows of 434 million domains that no longer exist, compared to the over 130 million registered today.

Even DomainTools, which has been collecting data for 17 years, knows its records are incomplete, but it reckons its number is probably within 10% of the total number of domains ever registered.

For new gTLDs, the one with the most deleted names is .realty (97% deleted) and the best is .boston (0.3% deleted), the company said.

More data here.

Can’t get enough GDPR? Come to my NamesCon panel

Kevin Murphy, June 4, 2018, Domain Services

NamesCon Europe is being held in Valencia, Spain, this week, the first time the NamesCon branding has been applied to the old Domaining Europe show.

Starting Thursday, it’s a two-day conference — or three if you count the social events planned for Saturday — with a varied agenda focused on domain investors.

The keynote will be given by Akram Atallah, president of ICANN’s Global Domains Division, on a so-far unspecified topic.

There will be about 20 sessions in total, organized in a single track and covering topics such as valuation, monetization, drop-catching, web development and legal issues facing domainers.

Expect speakers from the likes of Donuts, Sedo, the new gTLDs .club and .global, and a bunch of companies I’ve never heard of (a fact I hope to rectify).

Staff from NamesCon owner GoDaddy also have a decent presence among the speakers.

Domaining Europe was sold to NamesCon earlier this year and there’s going to be a short “handover ceremony” at the end of the show, followed by a performance by a band whose lineup feature the conference’s new CEO.

I’ll be hosting a panel comprising Blacknight CEO Michele Neylon and German lawyer Thomas Rickert on the General Data Protection Regulation on Thursday just before lunch.

If you no longer wish me to tell you this, please click here. But if, as a domainer, you feel there are important GDPR issues that should be discussed at the session, feel free to leave a comment below or shoot me an email.

As usual with shows like this, a big part of the value is in the networking, and there’s plenty of opportunities for socializing scheduled, including a “Disco Party!” slated to end at 5am.

NamesCon Europe tickets are still available, priced now at €786.50 ($922).

Disclosure: I’m paying my own way to the show but have a complimentary press pass.

Sedo’s cunning GDPR workaround

Kevin Murphy, May 23, 2018, Domain Services

With full Whois records set to disappear from public view for most domain names this Friday, auction house Sedo has had to resort to some technical trickery to enable its users to prove they own the domains they list for sale.

Until now, when listing a domain at Sedo, the company has checked whether the Whois record matches the data it has on file for the customer.

With that no longer possible in many cases, Sedo told users yesterday it instead wants them make updates to their DNS records, which will obviously remain public data post-GDPR.

Sedo will give each customer a personal identification number, which they will have to add to the all-purpose TXT field of their domain’s DNS record.

That’s a fairly straightforward process at most registrars, though volume domainers had better hope their registrar of choice allows DNS changes to be made in bulk.

Sedo’s calling the process “Owner Self-Verification”.

Customers who do not use the system will have to wait three business days before their names are verified. Sedo said it will manually spot-check domains and may ask for other forms of proof of ownership.

UPDATE: Many thanks to all the people on Twitter telling me this system has been in place for years. You’re all very clever. Your cookies/cigars are in the mail.